Google set to enforce tighter SSL security in Chrome

Google is setting out higher standards for security in Chrome and other products created on it. The company is outlining major changes to its enforcement of SSL/TLS certificates on a post to the CA/Browser Forum Public Discussion List.

The focus of the change will be centered around minimum cryptographic requirements based on the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates and the enforcement of compliance with its Certificate Transparency program, aimed to weed out bogus certificates.

The Baseline Requirements, which bring stronger encryption to the Public Key Infrastructure, have been followed for the most part by Certificate Authorities, but only to a certain degree. There are prominent CAs still handing out flawed certificates all across the internet that fail to meet the Baseline Requirements.

One of which requirements is a lack address for either a CRL (Certificate Revocation List) or an OCSP (Online Certificate Status Protocol) server. For example, there are several sites operating with flawed certificates, including Avon in France which was just recently issued a certificate by Equifax that has no OSCP specified. It doesn't stop there either, non-compliant certificates have been issued by other companies like Symantec, Verizon Business, SwissSign and GoDaddy.

As a whole there really are very few non-compliant issued certificates, but the the number still sits in the thousands. The worst offenders, according to Netcraft, are GoDaddy and Comodo. Google is set to begin requiring that Extended Validation certificates fully support its Certificate Transparency initiative, by a date yet to be announced. Additionally, the enforcement will eventually apply to all certificates.

The tightened security measures are widely expected to help with the detection and blocking of fraudulent certificates.